Back to one of my pet issues: the global cybersecurity skills shortage. According to ESG research, 46% of organizations say they have a “problematic shortage” of cybersecurity skills in 2016. By comparison, 28% of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015, so we’ve seen an 18% year-over-year increase.
So there is a universal shortage of infosec talent, but where are these deficiencies most acute? According to a survey of 299 IT and cybersecurity professionals:
- 33% of organizations say they have a shortage of cloud security specialists. This makes sense as it combines the shortage of cybersecurity skills with the evolution of cloud computing. Other ESG research indicates that large organizations are creating jobs for cloud security architects, so demand is especially high. Cybersecurity professionals should think about pursuing a cloud security certification from CSA or SANS as part of their career development plan. There are more jobs than people and enterprise organizations are tripping over each other to hire talent as quickly as they can.
- 28% of organizations say they have a shortage of network security specialists. To me, this really reinforces how bad the cybersecurity skills shortage is, since network security is the “motherhood and apple pie” core cybersecurity skill set needed by all organizations. Still, there are numerous changes in networking (e.g., SDN/NFV, micro-segmentation, attribute-based access controls) that will require strong network security skills. Networking professionals may want to consider a career change to capitalize on this opportunity.
- 27% of organizations say they have a shortage of security analysts. No surprise here. Security analyst skills (e.g., threat analysts, SOC personnel, incident responders) take years to develop, so organizations are constantly poaching talent from one another. Recently, I’ve heard that big cloud and social networking services like Amazon, Facebook, and Google have been especially aggressive in their hiring efforts. Recognizing that they can’t compete, CISOs are recruiting at the entry level, investing in training and mentoring programs, and asking new hires to give them a few good years.
- 26% of organizations say they have a shortage of data security specialists. This one may surprise some folks but not me. Data security tends to include major projects like discovery and classification, granular policy development, and esoteric skills like key management. Overall, data security is one of the most under-appreciated disciplines in the cybersecurity body of knowledge. There aren’t enough good technologies and there aren’t enough skilled people. Data security may not be the sexiest cybersecurity skill set but employers are paying top dollar and there aren’t many candidates in this area. Cybersecurity professionals who specialize in this area may have job security for life.
Cybersecurity education tends to follow an extremely broad curriculum. Some institutions (like my alma mater, UMass) don’t even break out cybersecurity on its own but rather treat it as a subset of computer science. Yes, we need cybersecurity generalists but ultimately specialization matters. Employers need specific skills to fill gaps while cybersecurity professionals can accelerate their careers with training and skills development in high-demand areas.
This is the conundrum we face as an industry. Until we develop a strategic plan to greatly improve the supply side of cybersecurity skills, the demand side will become increasingly chaotic.